From: plaisthos (C. Review) <ge...@op...> - 2025-10-22 16:44:29
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
    http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
to review the following change.
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they also include an HMAC they
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
1 file changed, 5 insertions(+), 1 deletion(-)
  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/1
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7688add..04aefa2 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -789,7 +789,11 @@
 #ifdef EVP_CIPH_FLAG_CTS
                    && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
 #endif
-                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+#ifdef EVP_CIPH_FLAG_ENC_THEN_MAC
+                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)
+#endif
+               );
     EVP_CIPHER_free(cipher);
     return ret;
 }
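Review bot: the `#ifdef EVP_CIPH_FLAG_ENC_THEN_MAC` guard around the new test means the check only exists when OpenVPN is compiled against OpenSSL 3.6.0 headers; a binary built against older headers and later run with a 3.6.0 shared library gets no protection, because EVP_CIPHER_flags() is answered by the runtime libcrypto while the guard was decided at build time. Unlike the EVP_CIPH_FLAG_CTS test above, this bit needs to be tested regardless of which headers were present, so consider a fallback `#define EVP_CIPH_FLAG_ENC_THEN_MAC` in openssl_compat.h and dropping the #ifdef here.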
-- 
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1294
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
From: plaisthos (C. Review) <ge...@op...> - 2025-10-22 17:02:46
Attention is currently required from: flichtenheld.
plaisthos has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email )
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Patch Set 1:
(1 comment)
Patchset:
PS1:
GHA run with OpenSSL 3.6.0 on macOS: https://github.com/schwabe/openvpn/actions/runs/18723419183
-- 
Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Gerrit-Comment-Date: Wed, 22 Oct 2025 17:02:35 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
From: plaisthos (C. Review) <ge...@op...> - 2025-10-23 09:53:42
Attention is currently required from: flichtenheld.
Hello flichtenheld, 
I'd like you to reexamine a change. Please visit
    http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
to look at the new patch set (#2).
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they also include an HMAC they
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/2
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7688add..f596b8c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -789,7 +789,8 @@
 #ifdef EVP_CIPH_FLAG_CTS
                    && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
 #endif
-                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
     EVP_CIPHER_free(cipher);
     return ret;
 }
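Review bot: EVP_CIPH_FLAG_ENC_THEN_MAC is now tested unconditionally while EVP_CIPH_FLAG_CTS three lines above keeps its #ifdef; that is only correct because openssl_compat.h supplies a fallback definition, and neither this hunk nor the commit message says so. Add a sentence to the commit message (or a short comment at the new line) explaining that the flag is defined in the compat header so the runtime check also works when OpenVPN was built against pre-3.6.0 headers; otherwise the asymmetry reads like a missing guard.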
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index e3e7cf8..fb3c9b1 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -211,4 +211,9 @@
 #endif
 #endif
 
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
 #endif /* OPENSSL_COMPAT_H_ */
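Review bot: the fallback value 0x10000000 is compared against bits returned by whatever libcrypto is loaded at runtime, so it must be identical to the value OpenSSL 3.6.0 ships and must not collide with a bit an older library uses for a different flag, or unrelated ciphers would be rejected as encrypt-then-mac. Consider pairing the `#ifndef` with an `#elif EVP_CIPH_FLAG_ENC_THEN_MAC != 0x10000000` / `#error` branch so a mismatch against a newer header fails the build loudly, and extend the comment to say where the value was taken from.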
-- 
Gerrit-MessageType: newpatchset
Gerrit-PatchSet: 2
From: plaisthos (C. Review) <ge...@op...> - 2025-10-23 09:56:19
Attention is currently required from: flichtenheld.
Hello flichtenheld, 
I'd like you to reexamine a change. Please visit
    http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email
to look at the new patch set (#3).
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they also include an HMAC they
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
This patch defines the flag if the SSL library does not define the flag
to also work when the SSL library is upgraded after OpenVPN has been compiled.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/3
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7688add..f596b8c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -789,7 +789,8 @@
 #ifdef EVP_CIPH_FLAG_CTS
                    && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
 #endif
-                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+                   && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
     EVP_CIPHER_free(cipher);
     return ret;
 }
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index e3e7cf8..fb3c9b1 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -211,4 +211,9 @@
 #endif
 #endif
 
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
 #endif /* OPENSSL_COMPAT_H_ */
-- 
Gerrit-MessageType: newpatchset
Gerrit-PatchSet: 3
From: flichtenheld (C. Review) <ge...@op...> - 2025-10-23 11:04:01
Attention is currently required from: plaisthos.
flichtenheld has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email )
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Patch Set 3: Code-Review+2
-- 
Gerrit-MessageType: comment
Gerrit-PatchSet: 3
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 23 Oct 2025 11:03:51 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
From: Gert D. <ge...@gr...> - 2025-10-23 11:11:52
From: Arne Schwabe <ar...@rf...>
These ciphers claim to be CBC but since they also include an HMAC they
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
This patch defines the flag if the SSL library does not define the flag
to also work when the SSL library is upgraded after OpenVPN has been compiled.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Frank Lichtenheld <fr...@li...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...>
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7688add..f596b8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -789,7 +789,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e3e7cf8..fb3c9b1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -211,4 +211,9 @@ #endif #endif +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */
From: Gert D. <ge...@gr...> - 2025-10-23 15:47:22
Change and explanation make sense, and BB/GH confirms that macOS is now
happy again (this isn't a "macOS" problem but the GHA workers on macOS
discovered it first).
Your patch has been applied to the master branch.
commit a69d9b66502f13354750d8146cd038cc7a26a0bd
Author: Arne Schwabe
Date:   Thu Oct 23 13:11:33 2025 +0200
     Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
     Signed-off-by: Arne Schwabe <ar...@rf...>
     Acked-by: Frank Lichtenheld <fr...@li...>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
     Message-Id: <202...@gr...>
     URL: https://www.mail-archive.com/ope...@li.../msg33846.html
     Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:46:43
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email )
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they also include an HMAC they
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
This patch defines the flag if the SSL library does not define the flag
to also work when the SSL library is upgraded after OpenVPN has been compiled.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Frank Lichtenheld <fr...@li...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33846.html
Signed-off-by: Gert Doering <ge...@gr...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7688add..f596b8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -789,7 +789,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e3e7cf8..fb3c9b1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h
@@ -211,4 +211,9 @@ #endif #endif +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */
-- 
Gerrit-MessageType: merged
Gerrit-PatchSet: 4
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:46:46
cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1294?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by flichtenheld
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they also include an HMAC they
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
This patch defines the flag if the SSL library does not define the flag
to also work when the SSL library is upgraded after OpenVPN has been compiled.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Frank Lichtenheld <fr...@li...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33846.html
Signed-off-by: Gert Doering <ge...@gr...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/1294/4
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7688add..f596b8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -789,7 +789,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e3e7cf8..fb3c9b1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h
@@ -211,4 +211,9 @@ #endif #endif +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */
-- 
Gerrit-MessageType: newpatchset
Gerrit-PatchSet: 4